Bug 25537

(-)help/secprofile.hlp (+47 lines)
1
This menu allows you to configure your system's "security profile."  A
2
security profile is a set of configuration options that attempts to
3
achieve the desired ratio of security to convenience by enabling and
4
disabling certain programs and other settings.  The more severe the
5
security profile, the less programs will be enabled by default; this
6
is one of the basic principles of security: do not run anything except
7
what you must.
8
9
Please note that the security profile is just a default setting.  All
10
programs can be enabled and disabled later by editing or adding the
11
appropriate line(s) to /etc/rc.conf.  For more information on the
12
latter, please see the rc.conf(5) manual page once you have installed
13
FreeBSD.
14
15
Following is a table that describes what each security profile does.
16
The columns are the choices you have for a security profile, and the
17
rows are the program or feature that is enabled or disabled.
18
19
               Extreme        High           Moderate       Low
20
inetd          NO             NO             YES            YES
21
sendmail       NO             YES            YES            YES
22
sshd           NO             YES            YES            YES
23
portmap        NO             NO             [1]            YES
24
NFS server     NO             NO             YES            YES
25
securelevel    YES (2) [2]    YES (1) [2]    NO             NO
26
27
NOTES:
28
29
[1] The portmapper is enabled if the machine has been configured as an
30
    NFS client or server earlier in the installation.
31
32
[2] For Extreme, the securelevel is set to 2; for High, it is set to
33
    1.  If you choose either of these, you must be aware of the
34
    implications of securelevel.  Please read the init(8) manual page and
35
    the FAQ, or you may have problems performing such tasks as
36
    installing a new kernel, changing the system date, or upgrading to a
37
    later version of FreeBSD.
38
39
WARNING: The security profile is not a silver bullet!  Setting it high
40
does not mean you do not have to keep up with security issues by
41
reading an appropriate mailing list (one where the security advisories
42
are sent), using good passwords and passphrases, and generally
43
adhering to good security practices.  It simply sets up the desired
44
security to convenience ratio out of the box.
45
46
You can always change any of these settings by editing or adding the
47
appropriate line(s) to /etc/rc.conf.
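
Review bot: The closing paragraph (lines 46-47) says "You can always change any of these settings" by editing /etc/rc.conf, which repeats lines 9-11 and sits awkwardly next to note [2], where the securelevel row is flagged as having implications the reader must look up in init(8) and the FAQ. Suggest dropping the duplicate paragraph, or qualifying it so that it points back to note [2] for securelevel. Two smaller points: in the table, "YES (2) [2]" puts the securelevel value and the footnote marker side by side where they are easy to confuse, so a different footnote marker or a plain value in the cell would read better; and line 5 should read "the fewer programs" rather than "the less programs".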
